From: Daniel Stenberg Date: Thu, 9 Oct 2025 20:10:32 +0000 (+0200) Subject: RELEASE-NOTES: synced X-Git-Tag: rc-8_17_0-1~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eb3a4314fee5e27dc815a6ef3df632718f6ea823;p=thirdparty%2Fcurl.git RELEASE-NOTES: synced --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 47c7dd5255..44ef5ddfc1 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -8,6 +8,7 @@ curl and libcurl 8.17.0 This release includes the following changes: + o build: drop Heimdal support [267] o build: drop the winbuild build system [81] o krb5: drop support for Kerberos FTP [43] o libssh2: up the minimum requirement to 1.9.0 [85] @@ -22,6 +23,7 @@ This release includes the following changes: This release includes the following bugfixes: o ares: fix leak in tracing [91] + o asyn-ares: use the duped hostname pointer for all calls [158] o asyn-thrdd resolver: clear timeout when done [97] o asyn-thrdd: drop pthread_cancel [30] o autotools: add support for libgsasl auto-detection via pkg-config [112] @@ -49,11 +51,13 @@ This release includes the following bugfixes: o checksrc: fix to handle `)` predecing a banned function [229] o checksrc: reduce directory-specific exceptions [228] o cmake/FindGSS: fix `pkg-config` fallback logic for CMake <3.16 [189] + o cmake/FindGSS: whitespace/formatting [268] o cmake: add `CURL_CODE_COVERAGE` option [78] o cmake: build the "all" examples source list dynamically [245] o cmake: clang detection tidy-ups [116] o cmake: drop exclamation in comment looking like a name [160] o cmake: fix building docs when the base directory contains `.3` [18] + o cmake: minor Heimdal flavour detection fix [269] o cmake: support building some complicated examples, build them in CI [235] o cmake: use modern alternatives for `get_filename_component()` [102] o cmake: use more `COMPILER_OPTIONS`, `LINK_OPTIONS` / `LINK_FLAGS` [152] @@ -65,6 +69,7 @@ This release includes the following bugfixes: o curl_easy_getinfo: error code on NULL arg [2] o curl_mem_undef.h: limit to `CURLDEBUG` for non-memalloc overrides [19] o curl_osslq: error out properly if BIO_ADDR_rawmake() fails [184] + o Curl_resolv: fix comment. 'entry' argument is not optional [187] o curl_slist_append.md: clarify that a NULL pointer is not acceptable [72] o CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well [8] o CURLOPT_COOKIEFILE.md: clarify when the cookies are loaded [159] @@ -81,6 +86,7 @@ This release includes the following bugfixes: o docs: fix/tidy code fences [87] o easy_getinfo: check magic, Curl_close safety [3] o examples/sessioninfo: cast printf string mask length to int [232] + o examples/sessioninfo: do not disable security [255] o examples/synctime: make the sscanf not overflow the local buffer [252] o examples/usercertinmem: avoid stripping const [247] o examples: drop unused `curl/mprintf.h` includes [224] @@ -96,7 +102,11 @@ This release includes the following bugfixes: o ftp: improve fragile check for first digit > 3 [194] o ftp: remove misleading comments [193] o gtls: avoid potential use of uninitialized variable in trace output [83] + o hostip: don't store negative resolves due unrelated errors [256] o hostip: remove leftover INT_MAX check in Curl_dnscache_prune [88] + o http2: check push header names by length first [261] + o http2: cleanup pushed newhandle on fail [260] + o http2: ingress handling edge cases [259] o http: handle user-defined connection headers [165] o http: make Content-Length parser more WHATWG [183] o httpsrr: free old pointers when storing new [57] @@ -105,6 +115,7 @@ This release includes the following bugfixes: o ip-happy: do not set unnecessary timeout [95] o ip-happy: prevent event-based stall on retry [155] o krb5: return appropriate error on send failures [22] + o krb5_gssapi: fix memory leak on error path [190] o krb5_sspi: the chlg argument is NOT optional [200] o ldap: do not base64 encode zero length string [42] o ldap: tidy-up types, fix error code confusion [191] @@ -114,6 +125,8 @@ This release includes the following bugfixes: o lib: upgrade/multiplex handling [136] o libcurl-multi.md: added curl_multi_get_offt mention [53] o libcurl-security.md: mention long-running connections [6] + o libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume [263] + o libssh2/sftp: fix resume corruption by avoiding O_APPEND with rresume [262] o libssh2/sftp_realpath: change state consistently [185] o libssh2: bail out on chgrp and chown number parsing errors [202] o libssh2: clarify that sshp->path is always at least one byte [201] @@ -137,6 +150,7 @@ This release includes the following bugfixes: o mbedtls: check result of setting ALPN [127] o mbedtls: handle WANT_WRITE from mbedtls_ssl_read() [145] o mdlinkcheck: reject URLs containing quotes [174] + o memdup0: handle edge case [241] o multi.h: add CURLMINFO_LASTENTRY [51] o multi_ev: remove unnecessary data check that confuses analysers [167] o nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header [227] @@ -157,6 +171,7 @@ This release includes the following bugfixes: o openssl: clear retry flag on x509 error [130] o openssl: fail the transfer if ossl_certchain() fails [23] o openssl: fix build for v1.0.2 [225] + o openssl: fix peer certificate leak in channel binding [258] o openssl: make the asn1_object_dump name null terminated [56] o openssl: set io_need always [99] o openssl: skip session resumption when verifystatus is set [230] @@ -168,19 +183,24 @@ This release includes the following bugfixes: o quic: ignore EMSGSIZE on receive [4] o quiche: fix possible leaks on teardown [205] o quiche: fix verbose message when ip quadruple cannot be obtained. [128] + o quiche: handle tls fail correctly [266] o quiche: when ingress processing fails, return that error code [103] o runtests: tag tests that require curl verbose strings [172] o rustls: fix clang-tidy warning [107] o rustls: fix comment describing cr_recv() [117] + o rustls: pass the correct result to rustls_failf [242] o rustls: typecast variable for safer trace output [69] o rustls: use %zu for size_t in failf() format string [121] o sasl: clear canceled mechanism instead of toggling it [41] o schannel: assign result before using it [62] + o schannel_verify: fix mem-leak in Curl_verify_host [208] o schannel_verify: use more human friendly error messages [96] o setopt: accept *_SSL_VERIFYHOST set to 2L [31] + o setopt: allow CURLOPT_DNS_CACHE_TIMEOUT set to -1 [257] o setopt: make CURLOPT_MAXREDIRS accept -1 (again) [1] o smb: adjust buffer size checks [45] o smtp: check EHLO responses case insensitively [50] + o socks: deny server basic-auth if not configured [264] o socks: handle error in verbose trace gracefully [94] o socks: handle premature close [246] o socks: make Curl_blockread_all return CURLcode [67] @@ -231,6 +251,7 @@ This release includes the following bugfixes: o tool_getparam: always disable "lib-ids" for tracing [169] o tool_getparam: warn if provided header looks malformed [179] o tool_operate: improve wording in retry message [37] + o tool_operate: keep failed partial download for retry auto-resume [210] o tool_operate: keep the progress meter for --out-null [33] o tool_progress: handle possible integer overflows [164] o tool_progress: make max5data() use an algorithm [170] @@ -239,8 +260,10 @@ This release includes the following bugfixes: o unit1664: drop casts, expand masks to full values [221] o url: make Curl_init_userdefined return void [213] o urldata: FILE is not a list-only protocol [9] + o vauth/digest: improve the digest parser [203] o vquic: fix idle-timeout checks (ms<-->ns), 64-bit log & honor 0=no-timeout [249] o vquic: handling of io improvements [239] + o vquic: sending non-gso packets fix for EAGAIN [265] o vtls: alpn setting, check proto parameter [134] o vtls_int.h: clarify data_pending [124] o vtls_scache: fix race condition [157] @@ -276,17 +299,18 @@ Planned upcoming removals include: This release would not have looked like this without help, code, reports and advice from friends like these: - Adam Light, Alice Lee Poetics, Andrew Kirillov, Andrew Olsen, - BobodevMm on github, Christian Schmitz, Dan Fandrich, Daniel Stenberg, - Daniel Terhorst-North, dependabot[bot], divinity76 on github, - Emilio Pozuelo Monfort, Ethan Everett, Evgeny Grin (Karlson2k), - fds242 on github, Howard Chu, Ignat Loskutov, Javier Blazquez, Jicea, - jmaggard10 on github, Johannes Schindelin, Joseph Birr-Pixton, Joshua Rogers, - kapsiR on github, kuchara on github, Marcel Raad, Michael Osipov, - Michał Petryka, Mohamed Daahir, Nir Azkiel, Patrick Monnerat, Pocs Norbert, - Ray Satiro, renovate[bot], rinsuki on github, Samuel Dionne-Riel, - Samuel Henrique, Stanislav Fort, Stefan Eissing, Viktor Szakats - (40 contributors) + Adam Light, Alice Lee Poetics, Andrei Kurushin, Andrew Kirillov, + Andrew Olsen, BobodevMm on github, Christian Schmitz, Dan Fandrich, + Daniel Stenberg, Daniel Terhorst-North, dependabot[bot], + divinity76 on github, Emilio Pozuelo Monfort, Ethan Everett, + Evgeny Grin (Karlson2k), fds242 on github, Howard Chu, Ignat Loskutov, + Javier Blazquez, Jicea, jmaggard10 on github, Johannes Schindelin, + Joseph Birr-Pixton, Joshua Rogers, kapsiR on github, kuchara on github, + Marcel Raad, Michael Osipov, Michał Petryka, Mohamed Daahir, Nir Azkiel, + Patrick Monnerat, Pocs Norbert, Ray Satiro, renovate[bot], rinsuki on github, + Samuel Dionne-Riel, Samuel Henrique, Stanislav Fort, Stefan Eissing, + tkzv on github, Viktor Szakats + (42 contributors) References to bug reports and discussions on issues: @@ -447,6 +471,7 @@ References to bug reports and discussions on issues: [155] = https://curl.se/bug/?i=18815 [156] = https://curl.se/bug/?i=18893 [157] = https://curl.se/bug/?i=18806 + [158] = https://curl.se/bug/?i=18980 [159] = https://curl.se/bug/?i=18924 [160] = https://curl.se/bug/?i=18810 [161] = https://curl.se/bug/?i=18749 @@ -475,8 +500,10 @@ References to bug reports and discussions on issues: [184] = https://curl.se/bug/?i=18878 [185] = https://curl.se/bug/?i=18875 [186] = https://curl.se/bug/?i=18874 + [187] = https://curl.se/bug/?i=18979 [188] = https://curl.se/bug/?i=18940 [189] = https://curl.se/bug/?i=18932 + [190] = https://curl.se/bug/?i=18976 [191] = https://curl.se/bug/?i=18888 [192] = https://curl.se/bug/?i=18873 [193] = https://curl.se/bug/?i=18871 @@ -489,10 +516,13 @@ References to bug reports and discussions on issues: [200] = https://curl.se/bug/?i=18865 [201] = https://curl.se/bug/?i=18864 [202] = https://curl.se/bug/?i=18863 + [203] = https://curl.se/bug/?i=18975 [204] = https://curl.se/bug/?i=18859 [205] = https://curl.se/bug/?i=18880 [206] = https://curl.se/bug/?i=18868 [207] = https://curl.se/bug/?i=18872 + [208] = https://curl.se/bug/?i=18972 + [210] = https://curl.se/bug/?i=18035 [211] = https://curl.se/bug/?i=18860 [212] = https://curl.se/bug/?i=18858 [213] = https://curl.se/bug/?i=18855 @@ -522,6 +552,8 @@ References to bug reports and discussions on issues: [238] = https://curl.se/bug/?i=18829 [239] = https://curl.se/bug/?i=18812 [240] = https://curl.se/bug/?i=18703 + [241] = https://curl.se/bug/?i=18966 + [242] = https://curl.se/bug/?i=18961 [243] = https://curl.se/bug/?i=18914 [245] = https://curl.se/bug/?i=18911 [246] = https://curl.se/bug/?i=18883 @@ -531,3 +563,18 @@ References to bug reports and discussions on issues: [250] = https://curl.se/bug/?i=18432 [251] = https://curl.se/bug/?i=18881 [252] = https://curl.se/bug/?i=18890 + [255] = https://curl.se/bug/?i=18969 + [256] = https://curl.se/bug/?i=18953 + [257] = https://curl.se/bug/?i=18959 + [258] = https://hackerone.com/reports/3373640 + [259] = https://curl.se/bug/?i=18933 + [260] = https://curl.se/bug/?i=18931 + [261] = https://curl.se/bug/?i=18930 + [262] = https://curl.se/bug/?i=18952 + [263] = https://curl.se/bug/?i=18952 + [264] = https://curl.se/bug/?i=18937 + [265] = https://curl.se/bug/?i=18936 + [266] = https://curl.se/bug/?i=18934 + [267] = https://curl.se/bug/?i=18928 + [268] = https://curl.se/bug/?i=18957 + [269] = https://curl.se/bug/?i=18951